On Wed, 2020-11-18 at 14:32 -0500, Steve Grubb wrote:
On Thursday, November 12, 2020 2:45:41 PM EST Steve Grubb wrote:
A new version of libcap-ng is going to be released next week. Normally this isn't newsworthy, nor is this a soname version bump. But it is important to let the broader community know something about it. The behaviour of capng_apply is changing slightly.
In the past, capng_apply would silently eat errors when the bounding set could not be changed. In order to change the bounding set, you have to have CAP_SETPCAP. A developer reported an issue in github where their project needed to know that capng_apply was completely successful changing the bounding set, meaning that they need an error returned. I didn't think too much of it and made the change.
Then one day I noticed that I could not update a package against Fedora's git or push a change. Looking into this, I found gnome-keyring was not working. [1] I dug into the source code and found that it was trying to change the bounding set when it had partial capabilities. The fix is to simply verify that you have CAP_SETPCAP before attempting this.
I don't know of any other software that is affected. But I wanted to give everyone a heads up before I push it out. I always dogfood libraries I work on, so maybe this is the only issue.
Eventually libcap-ng needs to get pushed over to F33 because there is a problem with ambient capabilities that the new release fixes. And speaking of ambient capabilities, the new version of libcap-ng contains a new library libdrop_ambient.so. You can use it with LD_PRELOAD to force an app to drop ambient capabilities leaving the other capabilities intact. All the work is done in the constructor, so no function calls are needed.
Hello,
The new libcap-ng has been built into rawhide.
...and it does break gnome-keyring, and it also breaks cifs-utils (so you can't mount CIFS/SMB shares), as per this upstream bug report:
https://github.com/stevegrubb/libcap-ng/issues/21
whose reporter also noted what looks like a valid problem in your gnome-keyring fix.
Was it really necessary to build this when you *knew* a major package did not work with it? Did you talk to the Workstation folks about getting the patch applied to gnome-keyring?
desktop@lists.fedoraproject.org
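An added example, not code from this thread, from gnome-keyring or from libcap-ng, showing the two points the thread turns on: the "check CAP_SETPCAP before touching the bounding set" fix that Steve describes, and the kind of constructor that an LD_PRELOAD library like libdrop_ambient.so uses to clear ambient capabilities while leaving the other sets alone. It uses the raw kernel interfaces that libcap-ng wraps (capget(2) and prctl(2)) rather than linking libcap-ng, so it builds with just the kernel headers; with libcap-ng the same check is capng_get_caps_process() followed by capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP). All function names here are assumptions for illustration.

```c
/* Added example (not from the thread, gnome-keyring or libcap-ng).
 * Demonstrates: only attempt a bounding-set change when CAP_SETPCAP is
 * held, and an LD_PRELOAD-style constructor that clears ambient caps.
 * Linux only: uses capget(2) and prctl(2) directly. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Prototype repeated so the build does not depend on feature macros. */
extern long syscall(long number, ...);

/* Fallbacks for older prctl headers; values match the kernel ABI. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_CLEAR_ALL 4
#endif

/* Pure helper: is bit `cap` set in a 64-bit capability mask?  Kept
 * free of syscalls so the decision logic can be tested on its own. */
bool cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return false;
    return (mask >> cap) & 1ULL;
}

/* Read the calling thread's effective set via capget(2), v3 layout:
 * two 32-bit words, low word first.  Returns 0 if the call fails. */
uint64_t effective_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0, 0, 0 }, { 0, 0, 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    return ((uint64_t)data[1].effective << 32) | data[0].effective;
}

/* The gnome-keyring-style check: changing the bounding set needs
 * CAP_SETPCAP, so do not try without it.  With the new libcap-ng the
 * failed prctl is reported by capng_apply instead of being swallowed,
 * which is why callers that only hold partial capabilities must check. */
bool may_change_bounding_set(uint64_t effective)
{
    return cap_in_mask(effective, CAP_SETPCAP);
}

/* Drop one capability from the bounding set after the check.
 * Returns 0 on success, -EPERM when CAP_SETPCAP is missing (the drop is
 * skipped, not attempted), or -errno if the kernel refused. */
int drop_bounding_cap_checked(int cap)
{
    if (!may_change_bounding_set(effective_caps()))
        return -EPERM;
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

/* Query whether `cap` is still in the bounding set (1 = yes, 0 = no,
 * -1 = unknown capability).  PR_CAPBSET_READ needs no privilege. */
int in_bounding_set(int cap)
{
    int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return r < 0 ? -1 : r;
}

/* What a drop-ambient preload library does: runs at load time, before
 * main(), and clears only the ambient set.  CLEAR_ALL needs no
 * privilege and leaves permitted, effective, inheritable and bounding
 * sets untouched, which is the behaviour the thread describes. */
__attribute__((constructor))
static void drop_ambient_caps(void)
{
    prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
}

int main(void)
{
    uint64_t eff = effective_caps();
    printf("CAP_SETPCAP in effective set: %s\n",
           may_change_bounding_set(eff) ? "yes" : "no");
    int r = drop_bounding_cap_checked(CAP_SYS_BOOT);
    if (r == -EPERM)
        printf("bounding set not changed: CAP_SETPCAP not held\n");
    else if (r < 0)
        printf("prctl(PR_CAPBSET_DROP) failed: errno %d\n", -r);
    else
        printf("dropped CAP_SYS_BOOT from bounding set\n");
    printf("CAP_SYS_BOOT still in bounding set: %d\n",
           in_bounding_set(CAP_SYS_BOOT));
    return 0;
}
```

Run as an unprivileged user it reports that CAP_SETPCAP is not held and skips the drop; run with CAP_SETPCAP it drops CAP_SYS_BOOT from the bounding set and the PR_CAPBSET_READ query then returns 0. Building the same constructor into a shared object and loading it with LD_PRELOAD gives the libdrop_ambient.so pattern from the thread, where no call from the application is needed.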